blackmoon | 0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
Size

1.6MB
MD5

4ef4c51a8b2b7938a1bec2332853742d
SHA1

1d51e0c79cc6be7d8906dcbc0bedd124ec5fb290
SHA256

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f
SHA512

fbfe08121a3bc9a5a84649df0c344efb9ebe83438a0c026c2ce954af8546535954610b824d7b056059db66e1d132b8424c7d3cd6ed4266f6747918a5e34d8e47
SSDEEP

12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq

Score

10^/10

blackmoon banker defense_evasion discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2272-5-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral1/memory/2880-12-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral1/memory/3064-43-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral1/memory/3064-44-0x0000000000BD0000-0x0000000000C5C000-memory.dmp	family_blackmoon
behavioral1/memory/2812-45-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/2812-69-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/2812-111-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/2812-155-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral1/memory/3064-159-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral1/memory/3064-162-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon

Executes dropped EXE 27 IoCs

Processes:

crhjvd.execrhjvd.exe0042516313898691.exeuin77.exed6d7bdff.exeuin77.exed0824678.exeuin77.exeda4dd0f1.exeuin77.exedf1f0d97.exeuin77.exed9da9710.exeuin77.exed4853089.exeuin77.exed3db1c20.exeuin77.exedd86a699.exeuin77.exedddc8120.exeuin77.exedc136db8.exeuin77.exed6de0631.exeuin77.exed18890b9.exe

pid	process
2880	crhjvd.exe
3064	crhjvd.exe
2812	0042516313898691.exe
2704	uin77.exe
2728	d6d7bdff.exe
884	uin77.exe
2596	d0824678.exe
2956	uin77.exe
3008	da4dd0f1.exe
1800	uin77.exe
1092	df1f0d97.exe
2476	uin77.exe
1732	d9da9710.exe
2008	uin77.exe
1652	d4853089.exe
2096	uin77.exe
1356	d3db1c20.exe
2304	uin77.exe
1336	dd86a699.exe
1480	uin77.exe
852	dddc8120.exe
2792	uin77.exe
2928	dc136db8.exe
2724	uin77.exe
2400	d6de0631.exe
1032	uin77.exe
3012	d18890b9.exe

Loads dropped DLL 30 IoCs

Processes:

cmd.execrhjvd.exe0042516313898691.exeuin77.exeuin77.exeuin77.exeuin77.exeuin77.exeuin77.exeuin77.exeuin77.exeuin77.exeuin77.exeuin77.exeuin77.exeWerFault.exe

pid	process
2940	cmd.exe
2940	cmd.exe
3064	crhjvd.exe
3064	crhjvd.exe
2812	0042516313898691.exe
2704	uin77.exe
2812	0042516313898691.exe
884	uin77.exe
2812	0042516313898691.exe
2956	uin77.exe
2812	0042516313898691.exe
1800	uin77.exe
2812	0042516313898691.exe
2476	uin77.exe
2812	0042516313898691.exe
2008	uin77.exe
2812	0042516313898691.exe
2096	uin77.exe
2812	0042516313898691.exe
2304	uin77.exe
2812	0042516313898691.exe
1480	uin77.exe
2812	0042516313898691.exe
2792	uin77.exe
2812	0042516313898691.exe
2724	uin77.exe
2812	0042516313898691.exe
1032	uin77.exe
2912	WerFault.exe
2912	WerFault.exe

Indicator Removal: Clear Persistence 1 TTPs 4 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
defense_evasion

Clear Persistence
T1070.009

Processes:

cmd.execmd.execmd.execmd.exe

pid process

1532 cmd.exe
1456 cmd.exe
1596 cmd.exe
1076 cmd.exe

pid	process
1532	cmd.exe
1456	cmd.exe
1596	cmd.exe
1076	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

crhjvd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	crhjvd.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2272-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2272-5-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
\Windows\Fonts\aqclovne\crhjvd.exe	upx
behavioral1/memory/2880-12-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
\Windows\Temp\0042516313898691.exe	upx
behavioral1/memory/3064-21-0x0000000000BD0000-0x0000000000C5C000-memory.dmp	upx
behavioral1/memory/3064-43-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2812-45-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2812-69-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2812-111-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2812-155-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/3064-159-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3064-162-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.execrhjvd.exe

description	ioc	process
File created	\??\c:\windows\fonts\aqclovne\crhjvd.exe	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
File opened for modification	\??\c:\windows\fonts\aqclovne\crhjvd.exe	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
File created	\??\c:\windows\fonts\sdemlr\wounfhr.exe	crhjvd.exe
File created	\??\c:\windows\fonts\dvsfbn\ruvacoz.exe	crhjvd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2912 3064 WerFault.exe crhjvd.exe

pid	pid_target	process	target process
2912	3064	WerFault.exe	crhjvd.exe

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

uin77.exeuin77.exeschtasks.exeWMIC.execmd.exeWMIC.execmd.exeuin77.exeWMIC.exeWMIC.exeWMIC.exeWMIC.execmd.exeschtasks.exeuin77.exeWMIC.execmd.exeuin77.exePING.EXEcrhjvd.exeWMIC.execmd.exeWMIC.exeschtasks.execmd.exe0042516313898691.exeuin77.exeuin77.exeuin77.exeuin77.exeschtasks.exeuin77.execmd.exeWMIC.exeuin77.execmd.exeWMIC.exeWMIC.exe0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.execmd.exeuin77.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crhjvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0042516313898691.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

2940 cmd.exe
2152 PING.EXE

Modifies data under HKEY_USERS 24 IoCs

Processes:

crhjvd.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27567E17-4DEB-44CD-9DEF-6832FA4C2BD2}	crhjvd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27567E17-4DEB-44CD-9DEF-6832FA4C2BD2}\WpadDecisionTime = 90a582a2df3ddb01	crhjvd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-0f-5f-cd-10-47\WpadDecisionTime = 90a582a2df3ddb01	crhjvd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	crhjvd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	crhjvd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	crhjvd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	crhjvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	crhjvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	crhjvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27567E17-4DEB-44CD-9DEF-6832FA4C2BD2}\WpadDecision = "0"	crhjvd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27567E17-4DEB-44CD-9DEF-6832FA4C2BD2}\1e-0f-5f-cd-10-47	crhjvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	crhjvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27567E17-4DEB-44CD-9DEF-6832FA4C2BD2}\WpadDecisionReason = "1"	crhjvd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27567E17-4DEB-44CD-9DEF-6832FA4C2BD2}\WpadNetworkName = "Network 3"	crhjvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-0f-5f-cd-10-47\WpadDecisionReason = "1"	crhjvd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	crhjvd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	crhjvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	crhjvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	crhjvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-0f-5f-cd-10-47\WpadDecision = "0"	crhjvd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	crhjvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	crhjvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	crhjvd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-0f-5f-cd-10-47	crhjvd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2152 PING.EXE

pid	process
2152	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.execrhjvd.execrhjvd.exeuin77.exed6d7bdff.exeuin77.exed0824678.exeuin77.exeda4dd0f1.exe0042516313898691.exeuin77.exedf1f0d97.exe

pid	process
2272	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
2880	crhjvd.exe
3064	crhjvd.exe
2704	uin77.exe
2704	uin77.exe
2704	uin77.exe
2704	uin77.exe
2728	d6d7bdff.exe
2728	d6d7bdff.exe
2728	d6d7bdff.exe
2728	d6d7bdff.exe
884	uin77.exe
884	uin77.exe
884	uin77.exe
884	uin77.exe
2596	d0824678.exe
2596	d0824678.exe
2596	d0824678.exe
2596	d0824678.exe
2956	uin77.exe
2956	uin77.exe
2956	uin77.exe
2956	uin77.exe
3008	da4dd0f1.exe
3008	da4dd0f1.exe
3008	da4dd0f1.exe
3008	da4dd0f1.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
2812	0042516313898691.exe
1800	uin77.exe
1800	uin77.exe
1800	uin77.exe
1800	uin77.exe
1092	df1f0d97.exe
1092	df1f0d97.exe
1092	df1f0d97.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe

pid process

2272 0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.execrhjvd.execrhjvd.exeuin77.exed6d7bdff.exeWMIC.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2272	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
Token: SeDebugPrivilege	2880	crhjvd.exe
Token: SeDebugPrivilege	3064	crhjvd.exe
Token: SeDebugPrivilege	2704	uin77.exe
Token: SeDebugPrivilege	2728	d6d7bdff.exe
Token: SeAssignPrimaryTokenPrivilege	2680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2680	WMIC.exe
Token: SeSecurityPrivilege	2680	WMIC.exe
Token: SeTakeOwnershipPrivilege	2680	WMIC.exe
Token: SeLoadDriverPrivilege	2680	WMIC.exe
Token: SeSystemtimePrivilege	2680	WMIC.exe
Token: SeBackupPrivilege	2680	WMIC.exe
Token: SeRestorePrivilege	2680	WMIC.exe
Token: SeShutdownPrivilege	2680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2680	WMIC.exe
Token: SeUndockPrivilege	2680	WMIC.exe
Token: SeManageVolumePrivilege	2680	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2680	WMIC.exe
Token: SeSecurityPrivilege	2680	WMIC.exe
Token: SeTakeOwnershipPrivilege	2680	WMIC.exe
Token: SeLoadDriverPrivilege	2680	WMIC.exe
Token: SeSystemtimePrivilege	2680	WMIC.exe
Token: SeBackupPrivilege	2680	WMIC.exe
Token: SeRestorePrivilege	2680	WMIC.exe
Token: SeShutdownPrivilege	2680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2680	WMIC.exe
Token: SeUndockPrivilege	2680	WMIC.exe
Token: SeManageVolumePrivilege	2680	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2820	WMIC.exe
Token: SeSecurityPrivilege	2820	WMIC.exe
Token: SeTakeOwnershipPrivilege	2820	WMIC.exe
Token: SeLoadDriverPrivilege	2820	WMIC.exe
Token: SeSystemtimePrivilege	2820	WMIC.exe
Token: SeBackupPrivilege	2820	WMIC.exe
Token: SeRestorePrivilege	2820	WMIC.exe
Token: SeShutdownPrivilege	2820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2820	WMIC.exe
Token: SeUndockPrivilege	2820	WMIC.exe
Token: SeManageVolumePrivilege	2820	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2820	WMIC.exe
Token: SeSecurityPrivilege	2820	WMIC.exe
Token: SeTakeOwnershipPrivilege	2820	WMIC.exe
Token: SeLoadDriverPrivilege	2820	WMIC.exe
Token: SeSystemtimePrivilege	2820	WMIC.exe
Token: SeBackupPrivilege	2820	WMIC.exe
Token: SeRestorePrivilege	2820	WMIC.exe
Token: SeShutdownPrivilege	2820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2820	WMIC.exe
Token: SeUndockPrivilege	2820	WMIC.exe
Token: SeManageVolumePrivilege	2820	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3012	WMIC.exe
Token: SeSecurityPrivilege	3012	WMIC.exe
Token: SeTakeOwnershipPrivilege	3012	WMIC.exe
Token: SeLoadDriverPrivilege	3012	WMIC.exe
Token: SeSystemtimePrivilege	3012	WMIC.exe
Token: SeBackupPrivilege	3012	WMIC.exe
Token: SeRestorePrivilege	3012	WMIC.exe
Token: SeShutdownPrivilege	3012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3012	WMIC.exe
Token: SeUndockPrivilege	3012	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.execrhjvd.execrhjvd.exe0042516313898691.exe

pid process

2272 0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
2880 crhjvd.exe
3064 crhjvd.exe
2812 0042516313898691.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.execmd.execrhjvd.exe0042516313898691.execmd.execmd.exeuin77.exeuin77.exeuin77.exe

description	pid	process	target process
PID 2272 wrote to memory of 2940	2272	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe	cmd.exe
PID 2272 wrote to memory of 2940	2272	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe	cmd.exe
PID 2272 wrote to memory of 2940	2272	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe	cmd.exe
PID 2272 wrote to memory of 2940	2272	0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe	cmd.exe
PID 2940 wrote to memory of 2152	2940	cmd.exe	PING.EXE
PID 2940 wrote to memory of 2152	2940	cmd.exe	PING.EXE
PID 2940 wrote to memory of 2152	2940	cmd.exe	PING.EXE
PID 2940 wrote to memory of 2152	2940	cmd.exe	PING.EXE
PID 2940 wrote to memory of 2880	2940	cmd.exe	crhjvd.exe
PID 2940 wrote to memory of 2880	2940	cmd.exe	crhjvd.exe
PID 2940 wrote to memory of 2880	2940	cmd.exe	crhjvd.exe
PID 2940 wrote to memory of 2880	2940	cmd.exe	crhjvd.exe
PID 3064 wrote to memory of 2812	3064	crhjvd.exe	0042516313898691.exe
PID 3064 wrote to memory of 2812	3064	crhjvd.exe	0042516313898691.exe
PID 3064 wrote to memory of 2812	3064	crhjvd.exe	0042516313898691.exe
PID 3064 wrote to memory of 2812	3064	crhjvd.exe	0042516313898691.exe
PID 2812 wrote to memory of 1076	2812	0042516313898691.exe	cmd.exe
PID 2812 wrote to memory of 1076	2812	0042516313898691.exe	cmd.exe
PID 2812 wrote to memory of 1076	2812	0042516313898691.exe	cmd.exe
PID 2812 wrote to memory of 1076	2812	0042516313898691.exe	cmd.exe
PID 2812 wrote to memory of 3024	2812	0042516313898691.exe	cmd.exe
PID 2812 wrote to memory of 3024	2812	0042516313898691.exe	cmd.exe
PID 2812 wrote to memory of 3024	2812	0042516313898691.exe	cmd.exe
PID 2812 wrote to memory of 3024	2812	0042516313898691.exe	cmd.exe
PID 2812 wrote to memory of 2704	2812	0042516313898691.exe	uin77.exe
PID 2812 wrote to memory of 2704	2812	0042516313898691.exe	uin77.exe
PID 2812 wrote to memory of 2704	2812	0042516313898691.exe	uin77.exe
PID 2812 wrote to memory of 2704	2812	0042516313898691.exe	uin77.exe
PID 1076 wrote to memory of 2660	1076	cmd.exe	schtasks.exe
PID 1076 wrote to memory of 2660	1076	cmd.exe	schtasks.exe
PID 1076 wrote to memory of 2660	1076	cmd.exe	schtasks.exe
PID 1076 wrote to memory of 2660	1076	cmd.exe	schtasks.exe
PID 3024 wrote to memory of 2680	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 2680	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 2680	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 2680	3024	cmd.exe	WMIC.exe
PID 2704 wrote to memory of 2728	2704	uin77.exe	d6d7bdff.exe
PID 2704 wrote to memory of 2728	2704	uin77.exe	d6d7bdff.exe
PID 2704 wrote to memory of 2728	2704	uin77.exe	d6d7bdff.exe
PID 2704 wrote to memory of 2728	2704	uin77.exe	d6d7bdff.exe
PID 3024 wrote to memory of 2820	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 2820	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 2820	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 2820	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 3012	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 3012	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 3012	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 3012	3024	cmd.exe	WMIC.exe
PID 2812 wrote to memory of 884	2812	0042516313898691.exe	uin77.exe
PID 2812 wrote to memory of 884	2812	0042516313898691.exe	uin77.exe
PID 2812 wrote to memory of 884	2812	0042516313898691.exe	uin77.exe
PID 2812 wrote to memory of 884	2812	0042516313898691.exe	uin77.exe
PID 884 wrote to memory of 2596	884	uin77.exe	d0824678.exe
PID 884 wrote to memory of 2596	884	uin77.exe	d0824678.exe
PID 884 wrote to memory of 2596	884	uin77.exe	d0824678.exe
PID 884 wrote to memory of 2596	884	uin77.exe	d0824678.exe
PID 2812 wrote to memory of 2956	2812	0042516313898691.exe	uin77.exe
PID 2812 wrote to memory of 2956	2812	0042516313898691.exe	uin77.exe
PID 2812 wrote to memory of 2956	2812	0042516313898691.exe	uin77.exe
PID 2812 wrote to memory of 2956	2812	0042516313898691.exe	uin77.exe
PID 2956 wrote to memory of 3008	2956	uin77.exe	da4dd0f1.exe
PID 2956 wrote to memory of 3008	2956	uin77.exe	da4dd0f1.exe
PID 2956 wrote to memory of 3008	2956	uin77.exe	da4dd0f1.exe
PID 2956 wrote to memory of 3008	2956	uin77.exe	da4dd0f1.exe

C:\Users\Admin\AppData\Local\Temp\0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe
"C:\Users\Admin\AppData\Local\Temp\0f1c1f4a16c1a7fae1fe4ee83e1a39e7f440e284ca143f021de1050a23ce7f0f.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\aqclovne\crhjvd.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2152
- - \??\c:\windows\fonts\aqclovne\crhjvd.exe
    c:\windows\fonts\aqclovne\crhjvd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2880

\??\c:\windows\fonts\aqclovne\crhjvd.exe
c:\windows\fonts\aqclovne\crhjvd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\TEMP\0042516313898691.exe
  C:\Windows\TEMP\0042516313898691.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN sawmu /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN sawmu /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bodw" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="rapmx" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bodw'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bodw" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2680
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="rapmx" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2820
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bodw'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\TEMP\d6d7bdff.exe
      "C:\Windows\TEMP\d6d7bdff.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2728
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\TEMP\d0824678.exe
      "C:\Windows\TEMP\d0824678.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2596
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\TEMP\da4dd0f1.exe
      "C:\Windows\TEMP\da4dd0f1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN sawmu /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1532
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN sawmu /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bodw" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="rapmx" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bodw'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bodw" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:460
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="rapmx" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bodw'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2084
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1800
  - - C:\Windows\TEMP\df1f0d97.exe
      "C:\Windows\TEMP\df1f0d97.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1092
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2476
  - - C:\Windows\TEMP\d9da9710.exe
      "C:\Windows\TEMP\d9da9710.exe"
      4⤵
      Executes dropped EXE
      PID:1732
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2008
  - - C:\Windows\TEMP\d4853089.exe
      "C:\Windows\TEMP\d4853089.exe"
      4⤵
      Executes dropped EXE
      PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN sawmu /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1456
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN sawmu /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bodw" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="rapmx" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bodw'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bodw" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2484
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="rapmx" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2520
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bodw'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:508
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2096
  - - C:\Windows\TEMP\d3db1c20.exe
      "C:\Windows\TEMP\d3db1c20.exe"
      4⤵
      Executes dropped EXE
      PID:1356
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2304
  - - C:\Windows\TEMP\dd86a699.exe
      "C:\Windows\TEMP\dd86a699.exe"
      4⤵
      Executes dropped EXE
      PID:1336
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1480
  - - C:\Windows\TEMP\dddc8120.exe
      "C:\Windows\TEMP\dddc8120.exe"
      4⤵
      Executes dropped EXE
      PID:852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN cbjue /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1596
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN cbjue /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="xbdqzs" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="omcdf" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='xbdqzs'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1272
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="xbdqzs" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="omcdf" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='xbdqzs'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1064
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2792
  - - C:\Windows\TEMP\dc136db8.exe
      "C:\Windows\TEMP\dc136db8.exe"
      4⤵
      Executes dropped EXE
      PID:2928
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2724
  - - C:\Windows\TEMP\d6de0631.exe
      "C:\Windows\TEMP\d6de0631.exe"
      4⤵
      Executes dropped EXE
      PID:2400
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1032
  - - C:\Windows\TEMP\d18890b9.exe
      "C:\Windows\TEMP\d18890b9.exe"
      4⤵
      Executes dropped EXE
      PID:3012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 784
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\d3db1c20.exe

Filesize
95KB

MD5
37ceaf944b56fe2c2756bc85675833d3

SHA1
0b484eeba2856154f7330b830b817b8dfb8bdff4

SHA256
8253f643d8be35a0673837e42f603e999831b1fbdf12ed3e02fd12faffd2d3b5

SHA512
e3b441dca8a21d88d4822d373e5f38691cf0cc2077cd74654eb720192688b54f822b2873110f7c62b059c31cd6bcddc9a3f0eedb400967a111dfdf627fcc25b2

Download Submit
\Windows\Fonts\aqclovne\crhjvd.exe

Filesize
1.7MB

MD5
01d3ffea1ba7db89685700c4b0b0a3c7

SHA1
891d336a96b0eb911635edfb8862ead68744e267

SHA256
49f5e25d904f6d09079c5d3b57ad346d583cd8d33f155f19cd111c0f1a1e756e

SHA512
af100e0397a21302b4d45c688e489ee358d967446b2bfaf45b36582b7e4542511213f3eee315ee05901fe9a418b47a8fcbe72c67a2ac39dd0654acf9cbdc9abd

Download Submit
\Windows\Temp\0042516313898691.exe

Filesize
244KB

MD5
de3b294b4edf797dfa8f45b33a0317b4

SHA1
d46f49e223655eca9a21249a60de3719fe3795e0

SHA256
d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

SHA512
1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Download Submit
\Windows\Temp\d6d7bdff.exe

Filesize
95KB

MD5
9f82de8eb9762d17c989c30547596be7

SHA1
8ef1ec03a81a062d53d1bd92a7d8b111bf8e8093

SHA256
9c4ae984fcc5ddfffabe676745f564c6f3be21c6d015b3d6d98ab8939607c1fe

SHA512
503fe354ada08823f092305252fd7bd4d5731666fca02605936c1b6841fb0b52055ebc64aec1cff79341e3b02f0c2c6bb50c9ce8df593c14ff793bc20ba75fdb

Download Submit
\Windows\Temp\uin77.exe

Filesize
173KB

MD5
aca63ed77aa7bc9e9c1a58d6b241e119

SHA1
f94960514406070d5d25890aab87ba912345cd14

SHA256
59663a9ab349e86375786c7e3276edabc609ea2c2b46c81809659a2b17d1dde4

SHA512
bfbcba0aef2790375958e78f74960ccdf8d868716da55007a793953a52e50e00d0f8dcb088008294ae6887b06ec7afcabcbc64aacbb3d76997f25d62dbf43bb0

Download Submit
\Windows\Temp\uin77.exe

Filesize
173KB

MD5
05d468ea5b21e2c554b8fbdbb053d240

SHA1
6e231a2891434789eb082b755c7f3b126afb79b0

SHA256
858bdb569192fd6ae6c7355e19cadbe05ca28ce50fc4b1fea6cee20cb8b8cbd8

SHA512
670b40f0e62184352b4365a6b5b5151a326b73674d06643dc64ff8b544249025e95ddc6d7b5a9a817fb780831211dfc0adae4c1d4c36d9c07b3d6a7338bcf029

Download Submit
memory/2272-5-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2272-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2812-45-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2812-155-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2812-69-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2812-111-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2880-12-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2940-33-0x0000000002080000-0x0000000002166000-memory.dmp

Filesize
920KB

Download
memory/3064-22-0x0000000000BD0000-0x0000000000C5C000-memory.dmp

Filesize
560KB

Download
memory/3064-44-0x0000000000BD0000-0x0000000000C5C000-memory.dmp

Filesize
560KB

Download
memory/3064-43-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3064-21-0x0000000000BD0000-0x0000000000C5C000-memory.dmp

Filesize
560KB

Download
memory/3064-159-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3064-162-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download